CVE-2023-50707 - OpenCVE

Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Efacec	Bcu 500 Firmware Bcu 500

Configuration 1 [-]

AND

cpe:2.3:o:efacec:bcu_500_firmware:4.07:*:*:*:*:*:*:*

cpe:2.3:h:efacec:bcu_500:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2023-12-19T23:18:26.771Z

Updated: 2023-12-19T23:18:26.771Z

Reserved: 2023-12-11T16:37:13.794Z

Link: CVE-2023-50707

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-20T00:15:09.643

Modified: 2023-12-29T16:19:20.037

Link: CVE-2023-50707

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-50707", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-12-11T16:37:13.794Z", "datePublished": "2023-12-19T23:18:26.771Z", "dateUpdated": "2023-12-19T23:18:26.771Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "BCU 500", "vendor": "EFACEC", "versions": [{"status": "affected", "version": "version 4.07"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21sec "}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.</p><br>\n\n"}], "value": "\nThrough the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-12-19T23:18:26.771Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>EFACEC released BCU 500 versions 4.08 to mitigate this vulnerability.</p><p>For more information, contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.efacec.pt/en/contacts/\">EFACEC support</a>.</p>\n\n<br>"}], "value": "\nEFACEC released BCU 500 versions 4.08 to mitigate this vulnerability.\n\nFor more information, contact EFACEC support https://www.efacec.pt/en/contacts/ .\n\n\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Uncontrolled Resource Consumption in EFACEC BCU 500", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:efacec:bcu_500_firmware:4.07:*:*:*:*:*:*:*", "matchCriteriaId": "62E65B01-DC85-484D-8133-D2CEF60C1D67", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:efacec:bcu_500:-:*:*:*:*:*:*:*", "matchCriteriaId": "B98DBC89-789C-4C56-B8B3-72675FDA9CE1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nThrough the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.\n\n\n\n\n"}, {"lang": "es", "value": "Mediante la explotaci\u00f3n de sesiones de usuarios activos, un atacante podr\u00eda enviar solicitudes personalizadas para provocar una condici\u00f3n de denegaci\u00f3n de servicio en el dispositivo."}], "id": "CVE-2023-50707", "lastModified": "2023-12-29T16:19:20.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2023-12-20T00:15:09.643", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}